Who’s Seen My Health Care Information?

On May 27, the United States Department of Health and Human Services (HHS) issued a proposed regulation (the Proposed Rule) that would amend the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule to provide patients with more information about who has accessed their protected health information (PHI). The Proposed Rule is the latest in a series of regulatory changes HHS is making in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Some of you may already be familiar with HIPAA’s “accounting of disclosures” provision. The provision requires health plans and health care providers, upon request, to give patients a list of the disclosures of their PHI. This “accounting” must describe, among other things, when the PHI was shared, for what purpose and who received it.

Under existing rules, accountings do not have to include the most common disclosures that covered entities make: those for treatment, payment and health care operations. Many covered entities have claimed that even this limited accounting obligation is burdensome. But privacy advocates have argued that the routine disclosures should be accounted for as well, especially if they are made using electronic record systems that have the capacity to automatically track disclosures.

The Proposed Rule weighs in on the side of the privacy advocates by requiring covered entities to give patients an “access report” that lists who has accessed their PHI in an electronic designated record set (that is medical records, billing records or other information that is used by covered entities to make payment or treatment decisions and that is maintained electronically) for any purpose, including treatment, payment and health care operations.

If a patient requested an access report, a covered entity would have to include the following information:

The date and time of access;

The name of the natural person (if available) or the name of the entity accessing the electronic designated record set information;

A description of what information was accessed (if available); and

A description of the action by the user, if available (e.g., create, modify, access or delete).

There is significant debate about how difficult it will be for covered entities to provide this new access report. HHS has stated that covered entities are already supposed to be electronically tracking much of the information required in the new access report under the HIPAA Security Rule in order to generate required audit trails. But the extent to which covered entities actually do this is unclear.
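To show how the four required items map onto an audit trail, here is an added example (not part of the original post) that builds a per-patient access report from constructed audit entries; the log field names are assumptions, and it falls back to the entity name where no natural person was recorded, as the Proposed Rule's "if available" wording allows.

```python
"""Build a HIPAA-style access report for one patient from audit-trail entries.

Added illustration, not from the original post. The entry layout and field
names are assumptions, and the sample entries below are constructed.
"""
from collections import namedtuple

# One audit-trail entry as an electronic record system might log it (assumed layout).
AuditEntry = namedtuple("AuditEntry", "timestamp patient_id actor_name entity action data")

# Constructed sample audit trail covering two patients; None marks a field the
# system did not capture.
SAMPLE_AUDIT_TRAIL = [
    AuditEntry("2011-06-01T09:14:00", "P-1001", "Dr. A. Example", "Example Clinic", "access", "medication list"),
    AuditEntry("2011-06-01T09:20:00", "P-1001", None, "Example Billing Co.", "access", None),
    AuditEntry("2011-06-02T11:05:00", "P-2002", "Nurse B. Sample", "Example Clinic", "modify", "vitals"),
    AuditEntry("2011-06-03T16:45:00", "P-1001", "Dr. A. Example", "Example Clinic", "modify", "progress note"),
]


def build_access_report(audit_trail, patient_id):
    """Return the access-report rows for one patient, oldest first.

    Each row carries the four items the Proposed Rule lists: date and time,
    the natural person if known (otherwise the accessing entity), what was
    accessed if logged, and the action if logged.
    """
    rows = []
    for e in sorted(audit_trail, key=lambda e: e.timestamp):  # ISO timestamps sort as text
        if e.patient_id != patient_id:
            continue
        rows.append({
            "date_time": e.timestamp,
            "accessor": e.actor_name or e.entity,  # person if available, else entity
            "information": e.data or "not recorded",
            "action": e.action or "not recorded",
        })
    return rows


def coverage_gaps(audit_trail):
    """Count entries missing an optional report field: a quick check of whether
    an existing audit trail actually supports the report."""
    gaps = {"actor_name": 0, "data": 0, "action": 0}
    for e in audit_trail:
        for field in gaps:
            if getattr(e, field) is None:
                gaps[field] += 1
    return gaps
```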

In a nod to concerns expressed by covered entities, the Proposed Rule would also streamline the Privacy Rule’s current accounting of disclosures provision. For example, the Proposed Rule excludes research disclosures from the accounting requirement in response to complaints that it is difficult for providers to track the large number of records accessed in many research projects.

From the Project HealthDesign perspective, it is important to know that today, very few patients take advantage of their right to know who has seen their health information. Indeed, covered entities often point to the small number of accounting requests to support their arguments that the accounting requirement is unduly burdensome. But as patient-generated information like observations of daily living (ODLs) becomes more integrated into clinical health records, patients may take greater notice of their right to know who sees their health information and for what purposes.

For a more detailed summary of the Proposed Rule, please read the summary I wrote with my colleague Susan Ingargiola.